[lug] How to implement Authentication on Disparate OS?

David L. Willson DLWillson at TheGeek.NU
Fri Jul 15 15:22:50 MDT 2011


It seems like if a person has access to Machine A, they're not a spoofer. They're Machine A, which is what you're trying to ensure.

What do you want to be certain of? A particular user? A particular program?

You might take a TiVo approach and send the fingerprint of the program doing the submission.

Or, you could use an automatic keyed ssh to periodically download a changing password, which your program reads and sends before it submits its data, and then set Machine B to only accept data preceded by that password.

David L. Willson
Trainer, Engineer, Enthusiast
RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
tel://720.333.LANS
Freedom is better when you earn it. Learn Linux.

----- Original Message -----
> From: "Bear Giles" <bgiles at coyotesong.com>
> To: "Boulder (Colorado) Linux Users Group -- General Mailing List" <lug at lug.boulder.co.us>
> Sent: Friday, July 15, 2011 9:13:18 AM
> Subject: Re: [lug] How to implement Authentication on Disparate OS?
> 
> 
> Authentication is a deep problem so you definitely want to build on
> top of something that already exists - don't just toss in a few
> calls to a crypto library and call it a day. Even a minimal system
> needs to be able to handle sniffing, man-in-the-middle and replay
> attacks. That's not even the full list, e.g., denial-of-service
> attacks or DNS cache poisoning or countless other things.
> 
> If you still want to do it from scratch (or this is a homework
> problem) look at the Kerberos protocol. It's been used on multiple
> OS for years and Microsoft "enhanced" it for AD.
> 
> 
> 
> On Fri, Jul 15, 2011 at 8:23 AM, Lori Reed <lorireed at lightning-rose.com> wrote:
> 
> 
> 
> On 07/14/2011 09:57 PM, Davide Del Vento wrote:
> > Machine A must have something that the spoofer can't have. E.g. a
> > private key with which something is signed and sent to Machine, which
> > verifies it's coming from A using A's public key.
> 
> I'm no security wonk, but shouldn't the data itself be encrypted to
> defeat packet sniffing, and wouldn't that solve the original problem as
> stated?
> 
> Lori
> 
> 
> 
> 
> > On Thu, Jul 14, 2011 at 20:34, <siegfried at heintze.com> wrote:
> >> Can someone suggest what I might google search for to learn how to
> >> implement a secure connection between two machines?
> >> Machine A is running FreeBSD and an application written in Perl that
> >> needs to record a ticket in a database on machine B.
> >> Presently, machine A is sending the username and other information
> >> through a Perl socket to machine B. Machine B records the information,
> >> including the username, in a database. If you have the Perl source code
> >> running on machine A, it is pretty easy to spoof machine B into thinking
> >> you are someone else when you submit the ticket.
> >> How would I subvert a would-be spoofer?
> >> 
> >> What features are available in FreeBSD or Linux that could make
> >> this secure?
> >> Let's assume these machines are on the same domain controller.
> >> Now what if machine B is a Windows machine? (Can Linux or FreeBSD
> >> authenticate with a Windows domain controller? I think they can.)
> >> I think Samba supports Windows named pipes. Is this a possibility?
> >> I don't even know what to google search for.
> >> Thanks,
> >> Siegfried
> >> 
> >> _______________________________________________
> >> Web Page: http://lug.boulder.co.us
> >> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >> Join us on IRC: irc.hackingsociety.org port=6667
> >> channel=#hackingsociety
> >> 
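As an added illustration (not code from any poster on this thread) of Davide's point that Machine A must hold something a spoofer cannot, and of Bear's warning about replay, here is a Python sketch of the A-to-B ticket submission with a keyed MAC, a timestamp and a nonce. It substitutes a shared HMAC key for the public-key signature Davide described so that it runs with only the standard library; SHARED_KEY, MAX_SKEW and the field names are constructed for the demo.

```python
import hmac
import hashlib
import json
import secrets
import time

# Constructed demo secret. In practice Machine A and Machine B each hold a copy
# provisioned out of band: this is the "something the spoofer can't have".
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_SKEW = 60          # seconds of clock drift tolerated between A and B
NONCE_LEN = 16         # bytes of randomness per submission

def _mac(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical (sorted, whitespace-free) JSON encoding."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def build_ticket(key: bytes, username: str, ticket: dict, now: float = None) -> dict:
    """Machine A: bind username, payload, timestamp and a fresh nonce under the MAC."""
    body = {
        "user": username,
        "ticket": ticket,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(NONCE_LEN),
    }
    return {**body, "mac": _mac(key, body)}

def verify_ticket(key: bytes, msg: dict, seen_nonces: set, now: float = None) -> tuple:
    """Machine B: reject forged, stale or replayed submissions. Returns (ok, reason)."""
    now = now if now is not None else time.time()
    try:
        body = {k: msg[k] for k in ("user", "ticket", "ts", "nonce")}
        mac = msg["mac"]
    except (KeyError, TypeError):
        return False, "malformed"
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(_mac(key, body), mac):
        return False, "bad-mac"
    # The timestamp is under the MAC, so B only needs to remember nonces seen
    # within the skew window; older entries can be pruned from seen_nonces.
    if abs(now - body["ts"]) > MAX_SKEW:
        return False, "stale"
    if body["nonce"] in seen_nonces:
        return False, "replay"
    seen_nonces.add(body["nonce"])
    return True, "ok"
```

Editing the username on a captured submission fails the MAC check, and re-sending the same submission fails the nonce check, which is the gap in the plain username-over-socket design the thread started from.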